Delegation and HITL approvals¶

A2A delegation chain signing, verification, and HITL approval records. See Tutorial: A2A delegation chains and Tutorial: HITL approval workflows.

Delegation chain¶

DelegationHopSigner `dataclass` ¶

Signs a single delegation hop.

sign_hop ¶

sign_hop(*, hop: int, principal_id: str, principal_type: str, delegated_at: str, scope_grant: dict[str, Any], manifest_id: str) -> str

Return base64url-encoded signature over the hop's canonical pre-image.

verify_delegation_chain ¶

verify_delegation_chain(delegation_chain: list[dict[str, Any]], public_keys: dict[str, bytes], manifest_id: str) -> None

Verify all hops in a delegation chain.

Checks

Each hop signature is valid for its principal's key.
Hop indices are sequential starting from 0.
Scope at each hop is not broader than the previous hop's grant.
Chain depth does not exceed root hop's max_delegation_depth.

Parameters:

Name	Type	Description	Default
`delegation_chain`	`list[dict[str, Any]]`	List of hop dicts from the manifest.	required
`public_keys`	`dict[str, bytes]`	Map of principal_id -> raw Ed25519 public key bytes.	required
`manifest_id`	`str`	Manifest ID to include in pre-image (replay protection).	required

Raises:

Type	Description
`InvalidSignature`	If any hop signature is invalid.
`ValueError`	If scope laundering is detected or chain is malformed.

HITL approvals¶

HitlApprovalSigner `dataclass` ¶

Signs a HITL approval record.

In production, the keypair should be backed by a hardware security key (FIDO2/passkey or HSM). The signature proves the approver deliberately approved this exact scope at this exact time for this exact manifest.

sign_approval ¶

sign_approval(*, manifest_id: str, approved_at: str, approved_scope: dict[str, Any], approver_id: str) -> str

Return base64url-encoded approval signature.

verify_hitl_approval ¶

verify_hitl_approval(approval: dict[str, Any], manifest_id: str, approver_public_key: bytes) -> None

Verify a single HITL approval signature.